blog.calif.io
This article walks through a newly discovered use-after-free vulnerability in PHP's unserialize() function, tracing it back to a missing lock in a code path introduced with PHP 5.1. It shows that old design decisions can remain reachable, relevant, and dangerous long after everyone assumes the terrain is well understood.
Picked by Stefan Priebsch –
"Code is not only an asset; it is also a liability. This article shows how every line can carry hidden risk, sometimes lying dormant for decades before becoming exploitable."
sektioneins.de
It is great to see Stefan Esser associated with PHP security again. Few people have shaped the field as deeply, with work such as the Hardened-PHP Project, Suhosin, and the Month of PHP Bugs. This historic article is a good example of the depth and precision of his work.
Picked by Sebastian Bergmann –
"Stefan Esser’s work has held up exceptionally well over time. I picked this article to raise security awareness in preparation for what may come once Claude Mythos is used to look at PHP."
phrack.org
Famous hacker Orange Tsai’s article turns PHP security into a story about curiosity, persistence, and the creative culture of the security researcher community. It shows how playful exploration of familiar systems can uncover forgotten lessons, preserve community knowledge, and push security research forward.
Picked by Stefan Priebsch and Sebastian Bergmann –
"Security research is about revealing how familiar systems fail when real-world use exceeds the assumptions their designers made."